Installing Kanet / Shibboleth on Fedora / Red Hat

Summary

This Kanet documentation was written by Xavier Marty of Université de Toulouse 1 Capitole.
It covers, on the one hand, installing and configuring Kanet on F13 and RHEL 6 and, on the other, configuring the proxy for the three authentication methods supported by Kanet: CAS, Radius and Shibboleth.

A step-by-step tutorial on installing and configuring Kanet on Ubuntu 10.10 is available here.

Installation

Requires vala 0.11 at minimum (see file)

A few notes

  • Minimal installation
  • Enable the network service after installation (← for F14)
  • Install a few useful packages
    yum install ntsysv wget openssh-clients mlocate ntp

FC14 version

Packages for kanet

Installation is possible, but the Shibboleth part is problematic:
  • recompilation is required
  • the "official shibboleth" packages from the openSUSE site cannot be used because of the curl package

  • Required
    yum install gcc
    yum install libgee-devel sqlite-devel libsoup-devel json-glib-devel libdaemon-devel radiusclient-ng-devel
    yum install libnetfilter_conntrack-devel libnetfilter_queue-devel
  • Updating vala
    yum install gnome-common intltool libtool
    rpm -Uvh vala-0.11.2-1.fc15.i686.rpm vala-tools-0.11.2-1.fc15.i686.rpm vala-devel-0.11.2-1.fc15.i686.rpm

CentOS 5 version

Packages are obsolete

RHEL 6 version

  • Add the EPEL repository
    rpm -Uvh http://download.fedora.redhat.com/pub/epel/6/i386/epel-release-6-5.noarch.rpm
  • Packages required for kanet
    yum install gcc kernel-headers
    yum install libsoup-devel sqlite-devel libgee-devel
    yum install json-c-devel radiusclient-ng radiusclient-ng-devel
    yum install gnome-common intltool libtool
  • Packages installed by hand … fetch them from the Fedora distribution: http://MIRROIR_FEDORA/pub/fedora/linux/releases/14/Everything/i386/os/Packages/
    rpm -Uvh json-glib-*
    rpm -Uvh libdaemon-*
    rpm -Uvh libnfnetlink-* libnetfilter_*
    rpm -Uvh vala-*

    List of packages installed in January 2011

    json-glib-0.10.4-3.fc14.i686.rpm
    json-glib-devel-0.10.4-3.fc14.i686.rpm
    libdaemon-0.14-1.fc13.i686.rpm
    libdaemon-devel-0.14-1.fc13.i686.rpm
    libnetfilter_conntrack-0.0.101-1.fc13.i686.rpm
    libnetfilter_conntrack-devel-0.0.101-1.fc13.i686.rpm
    libnetfilter_queue-0.0.17-2.fc12.i686.rpm
    libnetfilter_queue-devel-0.0.17-2.fc12.i686.rpm
    libnfnetlink-1.0.0-1.fc13.i686.rpm
    libnfnetlink-devel-1.0.0-1.fc13.i686.rpm
    vala-0.11.2-1.fc15.i686.rpm
    vala-devel-0.11.2-1.fc15.i686.rpm
    vala-tools-0.11.2-1.fc15.i686.rpm

Service packages

yum install dnsmasq dhcp httpd mod_ssl

Fetching kanet

wget http://kanet.googlecode.com/files/kanet-0.2.3.tar.bz2

Compilation

  • Commands
./waf configure # 1
./waf # 2
./waf install
  • Modify wscript

If necessary, adapt the wscript file at the root of the kanet directory.
The call to vala must be changed: by default the application looks for vala, but on Red Hat the package is libvala:

# ...
conf.check_cfg(package='libvala-0.12', uselib_store='VALA', atleast_version='0.7.10', args='--cflags --libs', mandatory=True)
# ...

Configuration


  • Symbolic links: copy the libraries from /usr/local/lib/ into /usr/lib/
cd /usr/local/lib/
cp lib* /usr/lib/

3 libraries are present: libKanetAuthModule.so / libkanet-dummy.so / libkanet-radiusclient.so
  • Edit the hosts file, adding the line
    10.34.0.1 eduspot eduspot.univ.fr
  • Internal interface, file ifcfg-eth1
    DEVICE="eth1"
    HWADDR="MA-MAC"
    IPADDR=10.34.0.1
    NETMASK=255.255.0.0
    NM_CONTROLLED="yes"
    ONBOOT="yes"

  • Enable the services at boot –> httpd, dhcp, dnsmasq, shibd (see below for the last one)
  • dhcpd.conf configuration
    #
    # DHCP Server Configuration file.
    # see /usr/share/doc/dhcp*/dhcpd.conf.sample
    # see 'man 5 dhcpd.conf'
    #
    ddns-updates off;
    option domain-name-servers 10.34.0.1;
     
    default-lease-time 600;
    max-lease-time 7200;
    authoritative;
     
    subnet 10.34.0.0 netmask 255.255.0.0 {
    option routers 10.34.0.1;
    option broadcast-address 10.34.255.255;
    range 10.34.1.0 10.34.254.255;
    }
  • Dnsmasq –> no configuration needed

Settings

Kanet configuration

kanet.conf

  • Location: /usr/local/etc/kanet/
  • Create a symbolic link
    cd /etc
    ln -s /usr/local/etc/kanet/kanet.conf kanet.conf
  • File
    /*
    Configuration file for kanet
    */
     
    {
    /*
    Server configuration
    SERVER_MODE="STANDALONE" (default) or "PROXY"
    */

    "SERVER_MODE" : "PROXY",
    "SERVER_URL" : "https://eduspot.univ.fr",
    "SERVER_PORT" : "8181",
    "SERVER_IP" : "",
    "REDIRECT_SERVER_PORT" : "8080",
    "QUEUE_NUM" : "0",
    "SSL_CERT_FILE" : "/etc/kanet/ssl-kanet.crt",
    "SSL_KEY_FILE" : "/etc/kanet/ssl-kanet.key",
    "DEBUG" : "1",
    /*
    Persistent data,
    only sqlite is available.
    */

    "database" : "sqlite",
    "sqlite_connection_string" : "/usr/local/var/lib/kanet/kanet.sqlite",
    "mysql_connection_string" : "Server=xxx; Port=3306; Database=xxx; uid=xxx; pwd=xxx;",
    /*
    Server behavior
    */

    "login_page" : "https://eduspot.univ.fr/login.html",
    "captive_portal_page" : "https://eduspot.univ.fr/www/update.html",
    "cas_url" : "https://cas.univ.fr/cas/",
    "www_path" : "/var/www/html/",
    "module_path" : "/usr/lib",
    "auth_module_name" : "kanet-radiusclient",
     
     
    /*
    blacklist acls
    always rejected.
    */

    "KANET_ACL_TYPE_BLACKLIST": [
    { "address" : "127.0.0.1", "port" : 9090 },
    { "port" : 8089 }
    ],
    /*
    open acls
    always open
    */

    "KANET_ACL_TYPE_OPEN": [
    { "address" : "cas.univ.fr" },
    { "address" : "idp.univ.fr" },
    { "address" : "ocsp.tcs.terena.org" },
    { "address" : "ocsp.usertrust.com" },
    { "address" : "services-federation.renater.fr" }
    //{ "address" : "www.univ.fr", "port" : 443 },
    //{ "port" : 60 }
    ],
    /*
    default acls
    open to authenticated users.
    */

    "KANET_ACL_TYPE_DEFAULT": [
    { "port" : 8089 },
    { "port" : 443 },
    { "port" : 80 }
    ],
     
    /* Admins : comma separated login list */
    "admins": "xmarty@cas",
    /*
    blacklist_part
    */

    "blacklist_users" : [
    { "login" : "colin", "message" : "hi foo ! you're login have been locked .." },
    { "login" : "johndoe", "message" : "hi john doe ! this account is locked .." }
    ],
    "default_blacklist_message" : "Your account have been locked",
     
    /*
    auto_blacklist_acl
    used to inform user they are probably infected, if a user try to join
    one of this address, the user is automatically blacklisted and the message
    display on is login window
    */

    "auto_blacklist_acls": [
    { "address" : "192.168.1.45", "message" : "You're account have been temporarily locked <br/> because you're probably infected by a virus" },
    { "port" : 45678, "message" : "You're account have been temporarily locked <br/> because you're probably infected by a virus" }
    ],
    /*
    quota, in bytes or seconds. 0 is unlimited.
    */

    "bytes_quota" : "0",
    "time_quota" : "0",
    /*
    message
    variables : $upbytes $downbytes $duration
    */

    "update_msg" : "Up : $upbytes, Down: $downbytes, Time: $duration",
    "over_quota_msg" : "Sorry you exceed your quota",
    "blacklist_msg" : "Sorry, you're account have been locked",
    "update_error_msg" : "An error occured during authentication process, please restart your browser"
     
    }

iptables

mkdir /usr/local/scripts/
vi kanet-firewall
#!/bin/sh
 
IPT="/sbin/iptables"
 
IP_PRIVATE="10.34.0.1" # <- TO BE MODIFIED
NTINT="eth1"
 
test -f $IPT || exit 0
 
case "$1" in
start)
echo -n "Loading kanet firewall's rules: "
echo 1 > /proc/sys/net/ipv4/ip_forward
 
# Flush table
$IPT -t nat -F
$IPT -t mangle -F
$IPT -t filter -F
 
 
$IPT -t mangle -A PREROUTING -i $NTINT -j CONNMARK --restore-mark
$IPT -t mangle -A PREROUTING -p TCP -i $NTINT -d $IP_PRIVATE -j ACCEPT
$IPT -t mangle -A PREROUTING -p TCP -i $NTINT -m state --state NEW -j QUEUE
 
 
 
$IPT -t nat -A PREROUTING -p TCP -i $NTINT -j CONNMARK --save-mark
# MARK 0xFFFFFFFF = Openacls
$IPT -t nat -A PREROUTING -p TCP -i $NTINT -m mark --mark 0xFFFFFFFF -j ACCEPT
 
# MARK 0xFFFFFFFE = use http-to-https redirection (Not implemented)
#$IPT -t nat -A PREROUTING -p TCP -i $NTINT -m mark --mark 0xFFFFFFFE -j DNAT --to-destination $IP_PRIVATE
 
# MARK 0x0 = unauthenticated - 80 is redirected to authentication page
$IPT -t nat -A PREROUTING -p TCP --dport 80 -i $NTINT -m mark --mark 0 -j DNAT --to-destination $IP_PRIVATE:8080
 
$IPT -A INPUT -p tcp --dport 8181 -j ACCEPT
$IPT -A INPUT -p tcp --dport 8080 -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -j ACCEPT
$IPT -A INPUT -p udp --dport 53 -j ACCEPT
 
 
# MARK 0x1 blacklistacls
$IPT -t filter -A FORWARD -m mark --mark 0x1 -j REJECT
 
$IPT -t nat -A POSTROUTING -m mark ! --mark 0 -j MASQUERADE
 
echo "Done."
;;
stop)
echo -n "Flushing kanet firewall's rules: "
echo 0 > /proc/sys/net/ipv4/ip_forward
 
###########################
# FLUSH TABLES
###########################
$IPT -t filter -F
$IPT -t nat -F
$IPT -t mangle -F
echo "Done."
;;
 
status)
# List tables
echo
echo "---------- FILTER TABLE -----------"
echo
$IPT -t filter -L -v
echo
echo "---------- NAT TABLE -----------"
echo
$IPT -t nat -L -v
echo
echo "---------- MANGLE TABLE -----------"
echo
$IPT -t mangle -L -v
echo
;;
restart|force-reload)
$0 stop
$0 start
echo "Done."
;;
 
*)
echo "Usage: /etc/init.d/kanet {start|stop|status|restart}"
exit 1
;;
esac
 
exit 0
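As an added example (not part of this documentation or of the Kanet project), the Python check below loads a kanet.conf in its JSON-with-comments form, which a plain json.load rejects, and compares its ports and open ACLs against the firewall script above. Both excerpts are constructed from the two files shown on this page; the rule that the cas_url host must appear in KANET_ACL_TYPE_OPEN is an assumption drawn from that configuration.

```python
import json
import re
from urllib.parse import urlparse

# Constructed excerpt of a kanet.conf in the JSON-with-comments form used above.
KANET_CONF = """/*
Configuration file for kanet
*/
{
  /* Server configuration */
  "SERVER_MODE" : "PROXY",
  "SERVER_PORT" : "8181",
  "REDIRECT_SERVER_PORT" : "8080",  // where unauthenticated port-80 traffic lands
  "cas_url" : "https://cas.univ.fr/cas/",
  "KANET_ACL_TYPE_OPEN": [
    { "address" : "cas.univ.fr" }
    //{ "port" : 60 }
  ]
}
"""

# Constructed excerpt of the kanet-firewall script, same rule syntax as above.
FIREWALL = """$IPT -t nat -A PREROUTING -p TCP --dport 80 -i $NTINT -m mark --mark 0 -j DNAT --to-destination $IP_PRIVATE:8080
$IPT -A INPUT -p tcp --dport 8181 -j ACCEPT
$IPT -A INPUT -p tcp --dport 8080 -j ACCEPT
"""

# One left-to-right pass: a JSON string wins over a comment starting inside it.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*', re.S)

def strip_comments(text):
    """Drop /* */ and // comments but keep JSON strings (URLs contain '//') intact."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)

def load_kanet_conf(text):
    return json.loads(strip_comments(text))

def check_config(conf, firewall):
    """Return mismatches between kanet.conf and the firewall script."""
    problems = []
    accepted = set(re.findall(r"--dport (\d+) -j ACCEPT", firewall))
    dnat = set(re.findall(r"--to-destination \S+:(\d+)", firewall))
    for key in ("SERVER_PORT", "REDIRECT_SERVER_PORT"):
        if conf[key] not in accepted:
            problems.append("%s %s has no INPUT ACCEPT rule" % (key, conf[key]))
    if conf["REDIRECT_SERVER_PORT"] not in dnat:
        problems.append("port 80 is not DNATed to REDIRECT_SERVER_PORT")
    # Unauthenticated clients must reach the SSO server, so its host belongs in
    # the open ACLs (assumption drawn from the configuration above).
    open_hosts = {a.get("address") for a in conf.get("KANET_ACL_TYPE_OPEN", [])}
    if urlparse(conf["cas_url"]).hostname not in open_hosts:
        problems.append("cas_url host missing from KANET_ACL_TYPE_OPEN")
    return problems
```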

Web pages

  • Fetch the original files
    cd /usr/local/share/kanet
    cp -r * /var/www/html/
  • For triple authentication, use the login.html file below
     

Apache configuration

httpd.conf

# ...
ServerName eduspot.univ.fr
# ...
<IfModule worker.c>
StartServers 20
MaxClients 1000
MinSpareThreads 200
MaxSpareThreads 250
ThreadsPerChild 50
MaxRequestsPerChild 0
</IfModule>
# ...
Listen 8080
Listen 443
# ...

eduspot.conf

<VirtualHost 10.34.0.1:443>
SSLEngine On
 
SSLCertificateFile /REP/LE_CERTIF.crt
SSLCertificateKeyFile /REP/LE_CERTIF.key
SSLCertificateChainFile /REP/cachain.pem
SSLVerifyClient none
SSLProxyEngine On
 
Alias /www /var/www/html/
 
ProxyPreserveHost On
ProxyRequests On
ProxyPass /www !
ProxyPass /Shibboleth.sso !
ProxyPass / http://127.0.0.1:8181/ disablereuse=on retry=0 flushpackets=on
ProxyPassReverse / http://127.0.0.1/
ProxyTimeout 3
 
<location /www>
 
</location>
 
 
<location />
AuthType shibboleth
Require shibboleth
ShibUseHeaders On
</location>
 
<location /login_shibboleth>
Allow from all
AuthType shibboleth
ShibRequireSession On
require valid-user
</location>
 
 
 
ErrorLog /var/log/httpd/error_eduspot.log
LogLevel warn
CustomLog /var/log/httpd/access_eduspot.log combined
 
</VirtualHost>
<VirtualHost 10.34.0.1:8080>
RewriteEngine On
#RedirectMatch .* https://cas.univ.fr/cas/login/?service=https://eduspot.univ.fr/login_cas/
RedirectMatch .* https://eduspot.univ.fr/www/login.html
 
ErrorLog /var/log/httpd/error_eduspot.log
LogLevel warn
CustomLog /var/log/httpd/access_eduspot.log combined
 
</VirtualHost>

Radius

Edit the radiusclient.conf and servers files

radiusclient.conf

# ...
auth_order radius # Keep only radius and remove local
# ...
authserver radius.univ.fr
# ...
acctserver radius.univ.fr
# ...

servers

# Specify the server and the shared secret
radius.univ.fr MON_PASS

SSO: CAS

See the kanet.conf configuration and/or Jérôme's documentation to modify both kanet.conf and eduspot.conf (Apache) so that only CAS authentication is performed.

Shibboleth

Packages

wget -O /etc/yum.repos.d/security_shibboleth.repo http://download.opensuse.org/repositories/security:/shibboleth/RHEL_6/security:shibboleth.repo
echo "protect=1" >> /etc/yum.repos.d/security_shibboleth.repo
wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-shibboleth-security http://download.opensuse.org/repositories/security:/shibboleth/RHEL_6/repodata/repomd.xml.key
yum install xmltooling log4shib xerces-c xml-security-c xmltooling opensaml shibboleth curl-openssl

Configuration

shibboleth2.xml for the test federation

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
logger="syslog.logger" clockSkew="180">
 
<OutOfProcess logger="shibd.logger">
</OutOfProcess>
 
<InProcess logger="native.logger">
<ISAPI normalizeRequest="true" safeHeaderNames="true">
<Site id="1" name="eduspot.univ.fr"/>
</ISAPI>
</InProcess>
 
<UnixListener address="shibd.sock"/>

<StorageService type="Memory" id="mem" cleanupInterval="900"/>
<SessionCache type="StorageService" StorageService="mem" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
<ReplayCache StorageService="mem"/>
<ArtifactMap artifactTTL="180"/>
 
<RequestMapper type="Native">
<RequestMap applicationId="default">
<Host name="eduspot.univ.fr">
<Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>
</RequestMap>
</RequestMapper>
 

<ApplicationDefaults id="default" policyId="default"
entityID="https://eduspot.fr/login_shibboleth"
REMOTE_USER="eppn targeted-id"
signing="false" encryption="false">
 

<Sessions lifetime="28800" timeout="3600" checkAddress="false"
handlerURL="/Shibboleth.sso" handlerSSL="false"
exportLocation="/Shibboleth.sso/GetAssertion"
idpHistory="false" idpHistoryDays="7">
 
<SessionInitiator type="Chaining" Location="/WAYF" id="WAYF" relayState="cookie">
<SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
<SessionInitiator type="Shib1" acsIndex="5"/>
<SessionInitiator type="WAYF" acsIndex="5" URL="https://services-federation.renater.fr/test/wayf/"/>
</SessionInitiator>
 
<md:AssertionConsumerService Location="/SAML2/POST" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
<md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:AssertionConsumerService Location="/SAML2/ECP" index="4"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
<md:AssertionConsumerService Location="/SAML/POST" index="5"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService Location="/SAML/Artifact" index="6"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
 
<LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
<LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
<LogoutInitiator type="Local"/>
</LogoutInitiator>
 
<md:SingleLogoutService Location="/SLO/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
 
<md:ManageNameIDService Location="/NIM/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
 
<md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
 
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
 
<Handler type="Status" Location="/Status" acl="127.0.0.1"/>
 
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
 
</Sessions>
 
<Errors supportContact="root@localhost"
logoLocation="/shibboleth-sp/logo.jpg"
styleSheet="/shibboleth-sp/main.css"/>
 
<MetadataProvider type="Chaining">

<MetadataProvider type="XML" uri="https://services-federation.renater.fr/metadata/renater-test-metadata.xml"
backingFilePath="/etc/shibboleth/renater-test-metadata.xml" reloadInterval="7200">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="/etc/shibboleth/metadata-federation-renater.crt"/>
</MetadataProvider>
 
</MetadataProvider>
 
<TrustEngine type="Chaining">
<TrustEngine type="ExplicitKey"/>
<TrustEngine type="PKIX"/>
</TrustEngine>
 
<AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
 
<AttributeResolver type="Query" subjectMatch="true"/>
 
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
 
<CredentialResolver type="File" key="/REP/LE_CERTIF.key" certificate="/REP/LE_CERTIF.crt"/>
 
</ApplicationDefaults>
 
<SecurityPolicies>
<Policy id="default" validate="false">
<PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
<PolicyRule type="Conditions">
<PolicyRule type="Audience"/>
</PolicyRule>
<PolicyRule type="ClientCertAuth" errorFatal="true"/>
<PolicyRule type="XMLSigning" errorFatal="true"/>
<PolicyRule type="SimpleSigning" errorFatal="true"/>
</Policy>
</SecurityPolicies>
 
</SPConfig>
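As an added example (not part of this documentation or of the Shibboleth project), the Python audit below reads an SP configuration in the shape of the shibboleth2.xml above and reports the settings a reviewer checks first: that federation metadata is signature-checked, that the Status handler is behind an acl, and that replay detection stays on. The excerpt is constructed from the file shown on this page.

```python
import xml.etree.ElementTree as ET

NS = "urn:mace:shibboleth:2.0:native:sp:config"

# Constructed excerpt of a shibboleth2.xml in the shape of the file above.
SP_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">
  <ApplicationDefaults id="default" policyId="default" entityID="https://eduspot.fr/login_shibboleth">
    <Sessions lifetime="28800" timeout="3600" handlerURL="/Shibboleth.sso">
      <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>
    <MetadataProvider type="Chaining">
      <MetadataProvider type="XML" uri="https://services-federation.renater.fr/metadata/renater-test-metadata.xml"
          backingFilePath="/etc/shibboleth/renater-test-metadata.xml" reloadInterval="7200">
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
        <MetadataFilter type="Signature" certificate="/etc/shibboleth/metadata-federation-renater.crt"/>
      </MetadataProvider>
    </MetadataProvider>
  </ApplicationDefaults>
  <SecurityPolicies>
    <Policy id="default" validate="false">
      <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
    </Policy>
  </SecurityPolicies>
</SPConfig>
"""

def audit_sp_config(xml_text):
    """Return findings for the SP settings a reviewer checks first."""
    root = ET.fromstring(xml_text)
    findings = []
    # Remote federation metadata decides which IdPs are trusted, so it must
    # carry a Signature filter (otherwise the metadata source is taken on faith).
    for mp in root.iter("{%s}MetadataProvider" % NS):
        if mp.get("type") != "XML":
            continue
        filters = {f.get("type") for f in mp.findall("{%s}MetadataFilter" % NS)}
        if "Signature" not in filters:
            findings.append("metadata %s is loaded without a Signature filter" % mp.get("uri"))
    # The Status handler reports SP internals; it should stay behind an acl.
    for h in root.iter("{%s}Handler" % NS):
        if h.get("type") == "Status" and not h.get("acl"):
            findings.append("Status handler %s has no acl" % h.get("Location"))
    # Replay detection on the message-flow rule must remain enabled.
    for rule in root.iter("{%s}PolicyRule" % NS):
        if rule.get("type") == "MessageFlow" and rule.get("checkReplay", "true") != "true":
            findings.append("MessageFlow rule has checkReplay disabled")
    return findings
```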

Required files

  • Fetch the federation certificate
    wget https://services-federation.renater.fr/metadata/metadata-federation-renater.crt -O /etc/shibboleth/metadata-federation-renater.crt
  • Fetch the metadata
    wget https://services-federation.renater.fr/metadata/renater-test-metadata.xml -O /etc/shibboleth/renater-test-metadata.xml

Renater federation registration

Technical information:

Retrieving the federation's IdPs and CAS servers

  → TO BE REVIEWED

